Aliyun Skill Creator

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a coherent skill-building toolkit, but it includes under-disclosed helper behavior that can terminate unrelated local processes and send or log skill evaluation content through Anthropic tooling.

Install only if you are comfortable reviewing and controlling the helper scripts. Avoid running the eval viewer on a port used by other work, prefer static output or a free port, and treat --results-dir logs and Anthropic API calls as sensitive because they can contain unpublished skill prompts, eval data, and model responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _kill_port(port: int) -> None:
    """Kill any process listening on the given port."""
    try:
        result = subprocess.run(
            ["lsof", "-ti", f":{port}"],
            capture_output=True, text=True, timeout=5,
        )
Confidence
94% confidence
Finding
result = subprocess.run( ["lsof", "-ti", f":{port}"], capture_output=True, text=True, timeout=5, )

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The `_kill_port` helper will terminate any local process listening on the requested port before starting the viewer, regardless of what that process is. That creates an unnecessary destructive side effect for a review-page utility and can kill unrelated developer tools or services, causing denial of service or data loss if the terminated process was performing work.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The review UI fetches third-party resources from Google Fonts and a SheetJS CDN, which creates unnecessary external network dependencies for a local evaluation tool. This can leak reviewer metadata such as IP address and usage timing to external services, and it expands the trust boundary to remotely hosted code and assets that could be changed, blocked, or compromised.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The file defines two materially different analyzer behaviors in a single agent prompt, but it does not provide an explicit routing condition or mutual exclusion rule beyond a later section header. In practice, this can cause the agent to mix schemas, read the wrong inputs, or write the wrong output format, leading to incorrect analysis artifacts or unintended processing of benchmark versus comparison data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends raw skill content, current descriptions, evaluation results, failed/false trigger examples, and prior attempt history to the Anthropic API. If those inputs contain proprietary prompts, internal test data, customer text, or secrets embedded in skill files or eval artifacts, this creates an external data disclosure path without minimization, redaction, or explicit operator acknowledgement. In this skill-creation context, that risk is somewhat more likely because repository content and eval queries may include unpublished internal material.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script persists the full prompt, Claude 'thinking', model response, and parsed description to disk, which can capture sensitive skill content, evaluation queries, internal reasoning traces, and any secrets present in inputs or outputs. Because the log write is automatic whenever log_dir is provided, sensitive data may remain on disk longer than intended and become accessible through backups, shared workspaces, CI artifacts, or other local users.

VirusTotal

66/66 vendors flagged this skill as clean.
